Use multi-factor authentication and protect yourself from ransomware, at least that’s what dozens of government and cybersecurity experts advised. Even the Cybersecurity and Infrastructure Security Agency (CISA) states in its website: “MFA increases security because even if one credential is compromised, unauthorized users will not be able to meet the second authentication requirement and will not be able to access the target physical space, computing device, network, or database.”
Could CISA and others be wrong about MFA and ransomware? In early 2022, CISA and the FBI released a cybersecurity advisory warning about a weakness in MFA deployments. Russian state-sponsored threat actors exploited a flaw in the MFA protocols, taking advantage of a misconfigured account set to the default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim’s network.
What was once considered a best practice for defending against ransomware is now an attack vector.
“It is important for companies to understand that they need to take a more active role in their own cybersecurity defense. With this MFA vulnerability, it demonstrates that even the most seemingly secure security methods will not stop attackers, especially those sponsored by the Russian state,” said Julia O’Toole, CEO and founder of MyCena, in a formal statement.
Digital access was always flawed
“Flaws in MFA actually stem from a previous design flaw,” O’Toole explained in an email interview. “This happened when we went from the physical to the digital world and people started mixing identity and access.”
Consider how we gain access to physical spaces. To enter a building, we use a key or access code provided to us by a person who was able to confirm our identity with a photo ID card, proper documentation, or simply based on personal knowledge.
The digital world lost those physical reference points, and yet the level of trust in identity increased. Companies removed the stringent requirements needed in the physical world and allowed their employees (and customers) to use their identities to gain access; users create their own keys or passwords to ‘unlock the doors’ of the corporate network, systems and data. The end result is loss of control and visibility of corporate networks, leading to all kinds of cybersecurity incidents.
And of course the bad guys took advantage.
“When passwords are compromised, MFA turns out to be the first layer of protection; used alone, it’s easy to exploit and provides little security,” O’Toole said.
CISA and the FBI warned about the aforementioned incident, but more was to come. In January 2022, the Lapsus$ hacker group breached Okta, simply by sending repeated MFA approval requests to employee phones at third-party support provider Sitel in the early hours of the morning. The requests were approved because people wanted to go back to sleep.
Go beyond MFA
It’s going to be hard to break the MFA habit, especially since many organizations have finally trained their employees on the importance of adding that layer of protection. But it is no longer enough to think that MFA is a foolproof method of keeping networks safe from a ransomware attack.
If the government warns that a flaw is being exploited, it’s because cybercriminals are already far ahead: it’s time to stop relying on MFA.
“The best option is to solve the access control problem at the design level,” O’Toole said. Technology that distributes strong and unique encrypted passwords to each employee for each system is one method to consider.
“People don’t know their passwords, as they remain encrypted from creation, distribution, storage and use until expiration. As organizations control and secure their access end-to-end, they eliminate the risks of human error, password fraud and password phishing,” said O’Toole.
Having access segmentation also gives companies cyber resiliency. “At the moment, starting with an initial compromised password, criminals can use lateral movement and privilege escalation to take over the network, extract and then encrypt files and launch a ransomware attack,” O’Toole said.
By fixing that design flaw, you eliminate the single sign-on that acts as a single point of failure. “Since individual passwords are only used when needed, in the event of a supply chain attack, only one system is exposed while the others remain secure.”
Despite the warning, CISA still recommends MFA as a cybersecurity layer, but the recommendation comes with a caveat: “Before deploying, organizations should review configuration policies to protect against ‘failed open’ and re-enrollment scenarios.”
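The two patterns this article describes, the burst of push prompts that wore down the Sitel employees and the new-device enrollment on a dormant account in the CISA advisory, both leave traces in identity-provider logs, and the ‘fail open’ and re-enrollment settings CISA asks organizations to review can be checked before deployment. The script below is an added example written for this article, not code from CISA, Okta, MyCena or any identity provider; the log line layout, the policy key names and every sample event are constructed assumptions chosen to illustrate the checks.

```python
"""
Defensive checks for the MFA abuse patterns discussed above.

  1. Push fatigue: many push prompts to one user in a short window, ending in
     an approval (the pattern behind the Okta/Sitel incident).
  2. Re-enrollment on a dormant account: a new MFA device registered for an
     account with no recent successful sign-in (the CISA advisory scenario).
  3. Policy review: flag 'fail open' and unrestricted re-enrollment settings.

The log format, policy keys and sample events are constructed for this
example; they do not match any particular product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <user> <event> <outcome>"
SAMPLE_LOG = """\
2022-01-20T01:02:11Z alice mfa.push sent
2022-01-20T01:02:40Z alice mfa.push sent
2022-01-20T01:03:05Z alice mfa.push sent
2022-01-20T01:03:30Z alice mfa.push sent
2022-01-20T01:04:02Z alice mfa.push sent
2022-01-20T01:04:15Z alice mfa.push approved
2022-01-20T09:15:00Z bob mfa.push sent
2022-01-20T09:15:09Z bob mfa.push approved
2021-10-01T10:00:00Z carol login success
2022-01-21T03:30:00Z carol mfa.enroll new_device
2022-01-20T08:00:00Z dave login success
2022-01-20T08:05:00Z dave mfa.enroll new_device
"""


def parse_log(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "outcome": outcome,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events, min_prompts=4, window=timedelta(minutes=10)):
    """Return (user, approval time, prompt count) for approvals that follow
    at least `min_prompts` push prompts within `window`."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of prompts still in window
    for e in events:
        if e["event"] != "mfa.push":
            continue
        user = e["user"]
        recent[user] = [t for t in recent[user] if e["ts"] - t <= window]
        if e["outcome"] == "sent":
            recent[user].append(e["ts"])
        elif e["outcome"] == "approved" and len(recent[user]) >= min_prompts:
            alerts.append((user, e["ts"], len(recent[user])))
            recent[user] = []  # one alert per burst
    return alerts


def detect_dormant_reenrollment(events, dormant_after=timedelta(days=90)):
    """Return (user, enrollment time, last successful login or None) for
    new-device enrollments on accounts idle longer than `dormant_after`."""
    alerts = []
    last_login = {}
    for e in events:
        user = e["user"]
        if e["event"] == "login" and e["outcome"] == "success":
            last_login[user] = e["ts"]
        elif e["event"] == "mfa.enroll":
            prev = last_login.get(user)
            if prev is None or e["ts"] - prev > dormant_after:
                alerts.append((user, e["ts"], prev))
    return alerts


def check_mfa_policy(policy):
    """Return findings for the two configuration weaknesses CISA asks
    organizations to review. Key names are hypothetical."""
    findings = []
    if policy.get("fail_open", False):
        findings.append("fail_open: an MFA backend outage lets sign-ins "
                        "proceed without a second factor")
    if policy.get("allow_reenrollment_on_dormant", False):
        findings.append("allow_reenrollment_on_dormant: idle accounts can "
                        "register a new MFA device without re-verification")
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("push fatigue:", detect_push_fatigue(evts))
    print("dormant re-enrollment:", detect_dormant_reenrollment(evts))
    print("policy:", check_mfa_policy({"fail_open": True,
                                       "allow_reenrollment_on_dormant": True}))
```

On the constructed sample, only alice (five prompts at 1 a.m., then an approval) and carol (new device registered after more than three months of silence) are flagged; bob's single prompt and dave's enrollment minutes after a fresh sign-in are ordinary behaviour. The thresholds are starting points to tune against an organization's own baseline, and the policy check is the pre-deployment review CISA describes, expressed against a hypothetical settings dictionary.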
Ransomware attacks are getting worse, and news of these MFA flaws is only going to make protecting against ransomware more difficult. But it’s not impossible if cybersecurity teams consider different approaches, preferably ones that verify user identity without the need for phones, key fobs, and access requests arriving in the middle of the night.